I'm trying to use autofs with Active Directory.
This works:
autofs_ldap_auth.conf:
<autofs_ldap_sasl_conf usetls="yes" tlsrequired="yes" authrequired="yes" clientprinc="nfs/myhost@MYDOMAIN" />
/etc/sysconfig/autofs:
LDAP_URI="ldap://domaincontroller1 ldap://domaincontroller2"
This also works if I replace the auth with a DIGEST-MD5 from GSSAPI (which gets used by default). Good so far.
However, I don't want to explicitly list the domain controllers. Discovering them via SRV records fails to work (even though logging clearly shows it's discovered the correct records). Going via a round-robin DNS target for the LDAP_URI also fails, as I think autofs expects the server to think of itself under the round-robin name, rather than its primary name, which breaks both DIGEST and GSSAPI.
Anyone got any pointers on how to make this work, or is it just a bug that I should track down?
jh
On Jul 15, 2011, at 7:02 AM, John Hodrien J.H.Hodrien@leeds.ac.uk wrote:
Did you try the built-in round robin DNS, which is the domain name itself?
This works for me.
-Ross
On Fri, 15 Jul 2011, Ross Walker wrote:
Did you try the built-in round robin DNS, which is the domain name itself?
This works for me.
Works fine as long as I don't enable TLS, at which point it fails.
Jul 15 14:19:37 centos6 automount[15860]: init_ldap_connection: lookup(ldap): TLS required but START_TLS failed: Connect error
It appears to just be a bug in autofs. I've patched it with this:
http://www.kernel.org/pub/linux/daemons/autofs/v5/autofs-5.0.5-check-each-dc...
and that fixes the problem with SRV records. I couldn't find anything exactly the same in bugzilla (although there is one against 6.0 that'd be fixed by this), so I'll post a bug there.
jh
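A diagnostic sweep for the two failure modes discussed in this thread, added here as an example; it is not code from the posts or from the autofs project. It resolves the same _ldap._tcp SRV record autofs uses to discover domain controllers, then tests each DC by its own name for LDAP with STARTTLS (the "TLS required but START_TLS failed" case) and, optionally, for a GSSAPI bind. The GSSAPI check also illustrates why a round-robin alias is a problem for Kerberos: the client requests a ticket for ldap/<name it connected to>, and no DC holds a service principal for the alias. Assumed and not taken from the thread: dig and the OpenLDAP ldapsearch client are installed, the AD DNS domain is passed in AD_DOMAIN (ad.example.org and the dcN host names in the sample are made up), and the client already holds a Kerberos ticket for the GSSAPI check.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or from autofs.
# Enumerate the domain controllers that autofs would discover through the
# _ldap._tcp SRV record of the AD domain and test each one for LDAP with
# STARTTLS, so a DC that cannot complete the TLS handshake is identified
# instead of blaming automount.
#
# Assumptions (not from the thread): dig and ldapsearch (OpenLDAP clients) are
# installed; the AD DNS domain is passed in $AD_DOMAIN; the optional GSSAPI
# check needs an existing Kerberos ticket (kinit) on the client.

# srv_targets: read `dig +short SRV` output on stdin, one record per line as
# "priority weight port target.", and print "target port" lines in the order a
# client should try them: lowest priority first, highest weight first within a
# priority, trailing dot removed. (A real resolver picks randomly by weight
# within one priority; a fixed order is enough for a diagnostic sweep.)
srv_targets() {
    awk 'NF == 4 {
            target = $4
            sub(/\.$/, "", target)
            printf "%d %d %s %s\n", $1, $2, target, $3
         }' | sort -k1,1n -k2,2nr | awk '{ print $3, $4 }'
}

# discover_dcs DOMAIN: query the SRV record autofs uses for LDAP discovery.
discover_dcs() {
    dig +short SRV "_ldap._tcp.$1" | srv_targets
}

# check_starttls HOST PORT: anonymous read of the rootDSE with -ZZ, which makes
# ldapsearch abort unless STARTTLS succeeds and the certificate validates for
# HOST. The exit status says whether this DC, addressed by its own name, would
# satisfy tlsrequired="yes".
check_starttls() {
    if ldapsearch -x -ZZ -o nettimeout=5 -H "ldap://$1:$2" \
            -b "" -s base supportedSASLMechanisms >/dev/null 2>&1; then
        echo "OK   $1:$2 STARTTLS"
    else
        echo "FAIL $1:$2 STARTTLS"
        return 1
    fi
}

# check_gssapi HOST PORT: the same read authenticated with GSSAPI. The client
# asks the KDC for ldap/HOST, so this only works when HOST is a name the DC has
# a service principal for; a round-robin alias fails here.
check_gssapi() {
    if ldapsearch -Y GSSAPI -ZZ -o nettimeout=5 -H "ldap://$1:$2" \
            -b "" -s base supportedSASLMechanisms >/dev/null 2>&1; then
        echo "OK   $1:$2 GSSAPI"
    else
        echo "FAIL $1:$2 GSSAPI"
        return 1
    fi
}

# Constructed sample of dig output (made-up names), used to show the ordering
# offline: dc1 and dc2 share priority 0, dc1 has the higher weight, dc3 is the
# lower-priority fallback.
SAMPLE_SRV='0 50 389 dc2.ad.example.org.
10 100 389 dc3.ad.example.org.
0 100 389 dc1.ad.example.org.'

sample_targets() {
    printf '%s\n' "$SAMPLE_SRV" | srv_targets
}

# Live sweep, only when a domain is given:
#   AD_DOMAIN=ad.example.org sh check-dcs.sh
if [ -n "${AD_DOMAIN:-}" ]; then
    discover_dcs "$AD_DOMAIN" | while read -r host port; do
        check_starttls "$host" "$port"
        check_gssapi "$host" "$port"
    done
fi
```

If every DC passes check_starttls by its own name but automount still logs "START_TLS failed" when LDAP_URI is left unset, the client side (the SRV-to-connection handling in autofs) is the remaining suspect rather than the directory; if one DC fails, that is the one to look at first, since a discovery-based client will eventually land on it.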
On Fri, 15 Jul 2011, John Hodrien wrote:
Hmm, by putting it into bugzilla I discover I'm sending Ian Kent's patch back to Ian Kent at Redhat... ;)
jh